Change is hard, and the security industry faces a distinct lack of control in a number of areas, which is enough to cause panic attacks. In terms of access, IT can no longer rely on ownership of or control over devices. Consumption occurs on user-owned devices everywhere - often not even through corporate-controlled networks. IT organizations need to accept their lack of control over infrastructure. In fact they often don't even know how the underlying systems are constructed - servers and networks are virtual and opaque. Compute, storage, and networking are now beyond the direct control of staff. You cannot just walk down to the data center to figure out what is going on.